White Paper: Assessing Your System Risks Before Attackers Do